Bryan Ruby


Thoughts, Words, and Deeds

Security

As Facebook Removes Fake Accounts, Spam Industry Charges More

Fake News - Pixabay CC0 Public Domain

NBC News recently posted an interesting article in which the author notes that the spam industry follows the same law of supply and demand as any other capitalist-loving business. As social networks crack down on fake accounts and fake news, the spam industry is able to charge its customers more to establish such inauthentic accounts.

Facebook shut down as many as 30,000 fake accounts in the past week — but that's unlikely to hurt the multi-million-dollar spam industry.

In fact, since Facebook's post-election housecleaning, it's become even more lucrative for spammers to pump out "inauthentic accounts." The asking price on the black market for 1,000 fake accounts used to be $20, but security changes by the social network giant only succeeded in driving up prices.

"If you go to the underground markets where they sell fake Facebook accounts, you can buy 1,000 of these for $300 to $400," Damon McCoy, a New York University computer science professor specializing in cybercrime, told NBC News.

Fighting inauthentic accounts and inauthentic activity is not new to social networks. In recent years, Facebook has put a lot of effort into reducing such activity by closing accounts responsible for fake likes and fake news. Last week, Shabnam Shaik, Facebook's Security Technical Program Manager, acknowledged the security team's recent efforts to fight the spread of misinformation on the social network.

Uncle Sam Wants You To Update Your WordPress Plugins

In times of war, you may be asked what you can do for your country. In modern times, your country may be asking you to do your part by updating your WordPress plugins.

The United States' Federal Bureau of Investigation (FBI), through the Internet Crime Complaint Center (IC3), issued a public service announcement last week recommending that website administrators update their WordPress sites. More specifically, the bureau wants you to update your third-party WordPress plugins.

Why is the FBI worried about your content management system? Apparently, continuous website defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS). According to the FBI, the defacements have affected website operations and the communication platforms of:

  • News organizations
  • Commercial entities
  • Religious institutions
  • Federal/state/local governments
  • Foreign governments
  • A variety of other domestic and international websites.

While one wouldn't expect WordPress to house national or company secrets, all this unwanted disruption translates to cost in terms of lost business revenue and expenditures on technical services to repair infected computer systems.

But why is the FBI focused on WordPress and not another CMS? In part, it's because WordPress is popular and widely used. The more sites that share the same known, specific vulnerabilities, the easier it is for attackers to find targets. All victims of the defacements identified by the FBI shared common WordPress plugin vulnerabilities that are easily exploited with commonly available hacking tools.

Drupal Security: Not Shocking but Responsible

Over the years, I've made it an unwritten policy not to sensationalize bug fixes and security vulnerabilities in content management systems. While there may be great interest in such stories, I believe they tend to cause more harm than good. When sensationalized, such articles lead customers to address security concerns with emotion instead of logic, which is never a good thing. So, when the security vulnerability known as "Drupageddon" broke and Drupal developer Bevan Rudge posted "Your Drupal website has a backdoor", I knew this story was going to eventually reach mainstream media. In the meantime, I've been struggling with how best to write this article and what story needs to be told.

For those who don't know, Drupageddon is the highly critical SQL injection vulnerability in Drupal 7 core that was fully disclosed by the Drupal Security Team in SA-CORE-2014-005. Ever since databases were first wired to websites, SQL injection vulnerabilities have been found, and in the majority of cases they are patched by developers and system administrators once discovered. What makes Drupageddon particularly nasty is that it can be exploited by users who aren't even logged into your site (in Drupal they're called anonymous users), and a successful injection runs with the full privileges of the site's database account, which is enough to plant a backdoor in the database or the code base. Worse, if you didn't update quickly enough after the October 15, 2014 disclosure (the Security Team's follow-up advice was to assume compromise unless you patched within hours of the announcement), your site may still be compromised even after applying the fix (Drupal 7.32 or later).
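To make the bug concrete, here is an added illustration of the defect class that SA-CORE-2014-005 fixed. It is not Drupal's own code or the author's; it mirrors the shape of DatabaseConnection::expandArguments() in Drupal 7's database layer, which rewrites a single placeholder such as "IN (:name)" into one placeholder per array element before the query reaches PDO. The function names, the sample SQL and the hostile request array are all constructed for this example.

```php
<?php
// Added example; not code from the original post or from Drupal itself.
// Simplified reconstruction of the placeholder expansion Drupal 7 performs
// when an array is bound to one placeholder, e.g. "WHERE name IN (:name)".

// Vulnerable shape (Drupal 7.31 and earlier). The caller's array KEYS are
// used to build the new placeholder names, and those names are pasted
// straight into the SQL text. When the array comes from a request (PHP
// builds nested arrays from name[...]=... query parameters, and no login is
// needed to submit a form), the attacker controls the keys and thus the SQL.
function expandArgumentsVulnerable(string $query, array &$args): string {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = [];
        foreach ($data as $i => $value) {        // $i is attacker-controlled
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;                      // rebind one value per placeholder
    }
    return $query;
}

// Fixed shape (Drupal 7.32, SA-CORE-2014-005): array_values() throws away
// the caller's keys, so generated placeholders are always :name_0, :name_1, ...
function expandArgumentsFixed(string $query, array &$args): string {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = [];
        foreach (array_values($data) as $i => $value) {
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return $query;
}

// Constructed request data: the array PHP produces for a query string like
// name[0 ;DELETE FROM sessions;# ]=x&name[0]=y  (hypothetical payload).
$sql     = 'SELECT * FROM users WHERE name IN (:name)';
$hostile = [':name' => ['0 ;DELETE FROM sessions;# ' => 'x', '0' => 'y']];

$args = $hostile;
echo "vulnerable: ", expandArgumentsVulnerable($sql, $args), "\n";

$args = $hostile;
echo "fixed:      ", expandArgumentsFixed($sql, $args), "\n";
```

Run with `php example.php`. The vulnerable function emits the hostile key verbatim after the first generated placeholder, so the text following `:name_0` (a statement separator, a second statement, and a `#` comment that swallows the rest) becomes part of the SQL that the PDO MySQL driver sends to the server; the fixed function emits only `:name_0, :name_1`, whatever the keys were. The point for the page's second warning is that the injected statement can do anything the site's database user can, which is why a site exploited before it was patched can still carry a backdoor after 7.32 is installed.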

Denial of Service on an Apache server

Last week was a very frustrating time for me. For whatever reason, an unusual number of botnets decided to zero in on my Drupal site and created what I call an unintentional denial of service attack (DoS). The attack actually came from spambots looking for script vulnerabilities found mainly in older versions of e107 and WordPress. Since the targets of these spambots were non-Drupal pages, my Drupal site responded by delivering an unusually large number of "page not found" and "access denied" error pages. Eventually, these requests from a multitude of IPs were too many for my server to handle, and for all intents and purposes the botnet attack caused a distributed denial of service that prevented me and my users from accessing the site.

These types of attacks on Drupal sites and numerous other content management systems are nothing new. However, my search at Drupal.org as well as Google didn't really find a solution that completely addressed my problem. Trying to prevent a DDoS attack isn't easy to begin with, and at first the answers eluded me.

I originally looked to Drupal for the solution to my problems. While I've used Mollom for months, Mollom is designed to fight off comment spam, while the bots attacking my site were looking for script vulnerabilities that didn't exist. So with Mollom being the wrong tool to fight off this kind of attack, I decided to take a look at the Drupal contributed module Bad Behavior. Bad Behavior is a set of PHP scripts that prevents spambots from accessing your site by analyzing their actual HTTP requests, comparing them to profiles of known spambots, blocking the matching requests, and logging the attempts. I actually installed an "unofficial" version of the Bad Behavior module which packages the Bad Behavior 2.1 scripts and uses services from Project Honey Pot.

As I had already suspected, looking to Drupal to solve this botnet attack wasn't the answer. Pretty much all Bad Behavior did for me was take the time Drupal was spending delivering "page not found" error pages and use it to deliver "access denied" error pages instead; because the module runs inside Drupal, PHP and the Drupal bootstrap still execute for every junk request. My Drupal site is likely safer with the Bad Behavior module installed, but it was the wrong tool for keeping the botnets from overtaxing Drupal on my server. Ideally, you would prevent the attacks from ever reaching your server by looking at such things as the firewall, router, and switches. However, since I didn't have access to the hardware, I decided it was time to look at my Apache configuration.
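The excerpt stops before the author's Apache changes, so what follows is an added example of one way to act on the reasoning above, not the configuration the author actually used. Drupal's stock .htaccess rewrites every request for a non-existent file to index.php, so a scanner probing /wp-login.php still costs a full PHP bootstrap to produce a 404. Rejecting the probe paths in Apache before that rewrite means no PHP runs at all. The path list, the static error file name and the mod_evasive thresholds are assumptions to be tuned against your own logs.

```apache
# Added example, not the author's configuration. Place it in the VirtualHost,
# or (with AllowOverride) in .htaccess ABOVE Drupal's own RewriteRule lines,
# so it matches before the catch-all rewrite to index.php.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Paths that only a WordPress or e107 install would serve. On a Drupal
    # site any request for them is a scanner; extend the list from your logs.
    RewriteCond %{REQUEST_URI} ^/(wp-admin|wp-includes|wp-content|wp-login\.php|xmlrpc\.php|e107_admin|e107_handlers|e107_plugins)(/|$) [NC]
    RewriteRule ^ - [F]
</IfModule>

# Serve the 403 body from a static file (assumed to exist at the docroot) so
# Apache never hands the rejected request to PHP to render an error page.
ErrorDocument 403 /blocked.html

# Per-client throttling, if mod_evasive is installed. These thresholds are
# illustrative: more than DOSPageCount hits on one URI, or DOSSiteCount hits
# on the site, inside the interval (seconds) earns a 403 for DOSBlockingPeriod.
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        5
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   60
</IfModule>
```

Check the effect with `curl -sI http://yoursite/wp-login.php`: a 403 whose response arrives with no PHP activity in the access log for index.php confirms the rewrite fired first. Two caveats a practitioner should keep in mind: the rewrite rule only helps against probes for paths your site never serves (a legitimate Drupal 404 still bootstraps), and per-IP throttling such as mod_evasive does little against a botnet spread over a multitude of IPs, each staying under the threshold. For that case the page's own conclusion stands: the traffic has to be dropped upstream of the web server.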

Flirting Robots

I felt fear, awe, and even some admiration when I read at CNET about the latest social engineering attack dreamed up by those ingenious Russian hackers.

Those entering online dating forums risk having more than their hearts stolen.

A program that can mimic online flirtation and then extract personal information from its unsuspecting conversation partners is making the rounds in Russian chat forums, according to security software firm PC Tools.

The artificial intelligence of CyberLover's automated chats is good enough that victims have a tough time distinguishing the "bot" from a real potential suitor, PC Tools said. The software can work quickly too, establishing up to 10 relationships in 30 minutes, PC Tools said. It compiles a report on every person it meets complete with name, contact information, and photos.

Then again, there is one particular flaw when it comes to pulling identifiable information from an online dating forum. The flaw? It's a dating forum. I fear that this bot may find out that I'm the CEO of a multi-billion dollar company who likes to fly to the coast on weekends so I can sail one of my many yachts. Oh, I'm also still in my 20s, a chick magnet, and a full head of hair remains on top. Hopefully, the bots will not find this truthful information about me. Hmm, the feelings of fear, awe, and admiration I once felt for these hackers aren't so strong after all.

The botnets are coming to a Windows PC near you

The November 20, 2006 article "Spam surge linked to hackers" from eWeek is a must read. Unfortunately, I can't find an online version of the print article.

The article discusses the increasingly sophisticated botnets hackers are running on tens of thousands of hijacked Windows computers to spread spam. It focuses on research by SecureWorks into the trojan known as SpamThru (Troj/SpamThru). Some of the unique, and scary, features identified in this trojan include:

  • Peer-to-peer command and control (the operators keep control without depending on a single server)
  • Anti-virus scanning (it carries an anti-virus engine and uses it to remove rival malware from the infected PC)
  • Template-based spam
  • Almost half of the infected PCs are running Windows XP SP2 (outside of Vista, Microsoft's most secure Windows system to date).

Do I bring this up because I don't like Microsoft products? Not at all; in fact, as I write this post I'm using a Windows XP system. My point is that if you plan on using Windows XP, do all of us a favor and make sure you've installed the latest software updates and security patches available for your PC.

Shame on you if you are still using an older and even less secure Windows system such as 98, ME, 2000, XP, or XP SP1. If you aren't running a firewall and/or anti-virus software with your Windows system because of "performance issues", either get yourself some new hardware or consider loading an alternative operating system such as Linux.

Above all, start practicing safe computing. I don't want to hear any excuses why you're not...